Our company has several systems to access information for our staff on the Internet. Some are internal (for example webmail) and some are external. Assuming we're starting from scratch, what's the best way to set up security for all systems and give each user a single username and password? What are the potential ramifications of doing this?
What you are describing, in a nutshell, is a single sign-on (SSO) system for a set of Web applications, some inside your company, and others outside.
There are a number of well-known products on the market for Web-based SSO. CA Inc.'s SiteMinder and RSA Security's Access Manager, which used to be called ClearTrust (and now owned by EMC Corp.), are just two of many products available. Other SSO products can be adapted for Web access, such as IBM Tivoli Access Manager, OpenConnect Systems Inc.'s WebConnect and the eToken from Aladdin Knowledge Systems Inc. Depending on the size of the organization, a hardware-based SSO solution, like the one offered by Imprivata Inc., might also be an option.
There are two main ramifications to consider when deploying SSO for Web access. First, SSO is a single point of security failure. In other words, if a malicious user gains access to a single user ID and password or other authentication credential, he or she basically will have full run of corporate systems. On the other hand, SSO implementations involve a lot of planning and integration of diverse systems. As a result, they tend to have more built-in security features than standard user ID and password systems do.
Another thing to consider with Web SSO is the different risk levels of the Web applications being joined together. Webmail, for example, can both bring in malware and send out confidential data. Websites and applications that require a login aren't as risky as webmail. Security professionals might want to consider implementing data loss prevention (DLP) and content-filtering products to protect their sites from malware and data leakage.
Once corporate systems are linked via a single authentication system, security pros should make sure that all Web servers are hardened with up-to-date patches and antimalware software. As for the external websites, do a thorough risk analysis of partners before connecting up to their systems to eliminate any serious security vulnerabilities.
Two other security considerations with any SSO implementation are to make sure all users have unique user IDs and passwords -- no sharing of credentials should be allowed -- and organizations should log and monitor all access via the SSO system. These features are not only required for compliance, but are also security best practices. If corporate systems are attacked through the SSO system, it'll help track down the source of the breach.
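The logging and monitoring point above can be turned into a concrete check. The following is an added example, not code from the original answer or from any SSO product; it assumes a simple constructed log format (timestamp, user ID, source IP, application, result) and flags two of the risks described here: one user ID used from different source addresses within a few minutes (credential sharing) and one user ID fanning out across an unusual number of applications in one session (a single compromised credential having "full run" of linked systems).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample SSO access log (not output of any real product).
# Assumed format: ISO timestamp, user ID, source IP, application, result.
SSO_LOG = """\
2008-02-04T09:00:01 alice 10.1.1.5 webmail OK
2008-02-04T09:00:40 alice 10.1.1.5 hr-portal OK
2008-02-04T09:01:10 bob 10.1.2.9 webmail OK
2008-02-04T09:01:15 bob 203.0.113.7 webmail OK
2008-02-04T09:02:00 carol 198.51.100.3 webmail OK
2008-02-04T09:02:05 carol 198.51.100.3 hr-portal OK
2008-02-04T09:02:09 carol 198.51.100.3 finance OK
2008-02-04T09:02:14 carol 198.51.100.3 partner-extranet OK
2008-02-04T09:02:20 carol 198.51.100.3 intranet-wiki OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_sso_log(text):
    """Return (timestamp, user, ip, app, result) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, app, result = m.groups()
            events.append((datetime.fromisoformat(ts), user, ip, app, result))
    return sorted(events)

def shared_credential_users(events, window_seconds=300):
    """User IDs with successful logins from two different source IPs within the window (credential sharing)."""
    by_user = defaultdict(list)
    for ts, user, ip, _app, result in events:
        if result == "OK":
            by_user[user].append((ts, ip))
    flagged = set()
    for user, hits in by_user.items():
        for (t1, ip1), (t2, ip2) in zip(hits, hits[1:]):
            if ip1 != ip2 and (t2 - t1).total_seconds() <= window_seconds:
                flagged.add(user)
    return flagged

def app_fanout_users(events, max_apps=3):
    """User IDs that reached more than max_apps distinct applications (one credential with run of the systems)."""
    apps = defaultdict(set)
    for _ts, user, _ip, app, result in events:
        if result == "OK":
            apps[user].add(app)
    return {u for u, a in apps.items() if len(a) > max_apps}
```

Thresholds such as the five-minute window and the application count are assumptions to tune against normal usage; the output is a list of user IDs to review, not proof of misuse.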
This was first published in February 2008